Closed
Bug 55070
Opened 24 years ago
Closed 18 years ago
XBL needs simple defense against D.O.S./infinite recursion
Categories
(Core :: XBL, defect, P3)
Core
XBL
Tracking
()
RESOLVED
FIXED
Future
People
(Reporter: brendan, Assigned: MatsPalmgren_bugz)
References
Details
(Keywords: testcase, Whiteboard: [rtm-])
Attachments
(7 files, 2 obsolete files)
641 bytes,
application/xhtml+xml
|
Details | |
720 bytes,
application/xhtml+xml
|
Details | |
639 bytes,
application/xhtml+xml
|
Details | |
467 bytes,
application/xhtml+xml
|
Details | |
639 bytes,
application/xhtml+xml
|
Details | |
41.72 KB,
image/png
|
Details | |
11.63 KB,
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
|
Details | Diff | Splinter Review |
Denial of service, or more likely, XBL author error, can lead to infinite recursion and other runaway conditions. A few obvious ones: two bindings that extend each other; a bindingattached handler that clones a node and inserts it in the document, causing the same handler to run again, cloning another node, etc. /be
Reporter | ||
Comment 1•24 years ago
|
||
From hyatt's posting to m.xpcom: div { -moz-binding: url(myfile.xml#mybinding); } <binding id="mybinding"> <content> <html:div/> </content> </binding> /be
Comment 3•24 years ago
|
||
Ick. Cancel out of that cloneNode testcase after letting it go ~6 recursions deep. When you subsequently do 'File->Quit', on Windows (but not Linux), mozilla-the-process never fully dies. It seems to be exercising a bug in Win2k (both trunk and PR3-opt builds). When you break on the zombie process in the debugger, it says "DBG: Break command failed within 3 seconds. DBG: Potential deadlock. Soft broken.", and the 'stack' is pointing at OLE32.dll, USER32.DLL, and NTDLL.DLL.
Comment 6•20 years ago
|
||
*** Bug 167148 has been marked as a duplicate of this bug. ***
Comment 7•20 years ago
|
||
*** Bug 271483 has been marked as a duplicate of this bug. ***
Comment 8•19 years ago
|
||
*** Bug 287303 has been marked as a duplicate of this bug. ***
Comment 9•18 years ago
|
||
I accidentally filed bug 350754, which is a duplicate of this one, but someone made a fix for that, for a certain type of xbl recursion. This is another case of recursion in xbl, which isn't fixed by that patch. Talkback ID: TB23024067K NS_EscapeURL [mozilla\xpcom\io\nsescape.cpp, line 440]
Comment 10•18 years ago
|
||
This is the recursive cloneNode case, just one page for easy viewing. It doesn't crash Mozilla, it just freezes and slowly eats all available memory.
Attachment #16090 -
Attachment is obsolete: true
Updated•18 years ago
|
Assignee: hyatt → general
QA Contact: jrgmorrison → ian
Comment 11•18 years ago
|
||
So the "recursive cloneNode" thing is not something we can do much about, really... that could be done without XBL too -- just keep cloning nodes. The other we should fix; probably with a check similar to bug 350754.
Depends on: 350754
Assignee | ||
Comment 12•18 years ago
|
||
Assignee | ||
Comment 13•18 years ago
|
||
Assignee | ||
Comment 14•18 years ago
|
||
Assignee | ||
Comment 15•18 years ago
|
||
Something like this perhaps?
Attachment #241729 -
Flags: review?(bzbarsky)
Assignee | ||
Comment 16•18 years ago
|
||
Comment 17•18 years ago
|
||
Comment on attachment 241729 [details] [diff] [review] Patch rev. 1 >Index: dom/locales/en-US/chrome/layout/xbl.properties >+CircularExtendsBinding=Extending the XBL binding "%S" with "%S" would make it circular Maybe more like: Extending the XBL binding "%S" with "%S" would lead to it extending iteself. or something? >Index: content/xbl/src/nsXBLService.cpp >+ aDontExtendURIs.AppendElement(aURI); Need to return error if this fails. >@@ -1008,27 +1022,48 @@ >+ PRBool equal; >+ if (NS_FAILED(uri->Equals(bindingURI, &equal)) || equal) { I think if the Equals() call fails we should just return that error instead of reporting the recursion error message to the console. >Index: content/xbl/src/nsXBLService.h >+ nsresult GetBinding(nsIContent* aBoundElement, nsIURI* aURI, >+ PRBool aPeekFlag, PRBool* aIsReady, >+ nsXBLBinding** aResult, >+ nsVoidArray& aDontExtendURIs); Document, please. And is there a reason not to be using nsTArray<nsIURI>& for the array? And probably pre-initi it to a size of 8 (or whatever measurements show?) since we only use it on the stack and generally don't have too deep a extends tree.
Attachment #241729 -
Flags: review?(bzbarsky) → review-
Assignee | ||
Comment 18•18 years ago
|
||
(In reply to comment #17) > Maybe more like: > ... would lead to it extending iteself. Fixed. > >+ aDontExtendURIs.AppendElement(aURI); > Need to return error if this fails. Fixed. > I think if the Equals() call fails we should just return that error > instead of reporting the recursion error message to the console. Fixed. Also fixed IsAncestorBinding() in the same way (bug 350754). > ... is there a reason not to be using nsTArray<nsIURI>& for the array? Yes, nsTArray<E> requires that E has a copy ctor and nsIURI is abstract. http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/xpcom/glue/nsTArray.h&rev=1.22&root=/cvsroot&mark=185#178 I changed nsVoidArray& to nsTArray<nsIURI*>& instead. > ... pre-init it to a size of 8 (or whatever measurements show?) Measuring: starting Firefox, open Preferences, open DOMI. Distribution of 1361 GetBinding() calls gave these array sizes: 1: 514 2: 160 3: 360 4: 142 5: 136 6: 49 none had 7 or more. (Just starting Fx also gave a 1..6 distribution.)
Attachment #241729 -
Attachment is obsolete: true
Attachment #242320 -
Flags: superreview?(bzbarsky)
Attachment #242320 -
Flags: review?(bzbarsky)
Comment 19•18 years ago
|
||
> I changed nsVoidArray& to nsTArray<nsIURI*>& instead.
Er, that's what I meant. nsTArray<nsIURI> was a typo. ;)
Comment 20•18 years ago
|
||
Comment on attachment 242320 [details] [diff] [review] Patch rev. 2 >Index: content/xbl/src/nsXBLService.cpp >+nsXBLService::GetBinding(nsIContent* aBoundElement, nsIURI* aURI, >+ NS_ENSURE_TRUE(aDontExtendURIs.AppendElement(aURI) != nsnull, Shouldn't need the != nsnull thing there, right? With that nit, looks great! r+sr=bzbarsky
Attachment #242320 -
Flags: superreview?(bzbarsky)
Attachment #242320 -
Flags: superreview+
Attachment #242320 -
Flags: review?(bzbarsky)
Attachment #242320 -
Flags: review+
Assignee | ||
Updated•18 years ago
|
Assignee: general → mats.palmgren
Assignee | ||
Comment 21•18 years ago
|
||
(In reply to comment #20) > >+ NS_ENSURE_TRUE(aDontExtendURIs.AppendElement(aURI) != nsnull, > > Shouldn't need the != nsnull thing there, right? Right, I was thinking of bug 340244 but NS_ENSURE_* doesn't suffer from that. Checked in to trunk (without the "!= nsnull") at 2006-11-08 17:58 PDT. -> FIXED
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•17 years ago
|
Flags: in-testsuite?
You need to log in
before you can comment on or make changes to this bug.
Description
•